We have a topo with 3x IPA servers + freeradius.
Freeradius is being used to do mschap with wifi APs. Freeradius connects
over ldap to IPA.
In order to do the challenge-response thing, freeipa has AllowNTHash.
So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth.
The moment I disallow Password auth for a user and enable OTP, the wifi
auth stops working, but the hash clearly stays in ldap.
The goal is to stay with password on freeradius but for everything else:
kerberos/sssd related use password+code.
How can I disable password login for a user but still make freeradius work
with ldap, so when it asks for the user's hash it gets one?
Freeradius ldap mod snippet:
base_dn = "cn=users,cn=accounts,dc=cs,dc=com"
Network Security Engineer